

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Certificate Management &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/doctools.js"></script>
        <script src="../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="升级 Ceph" href="../upgrade/" />
    <link rel="prev" title="OAuth2 Proxy" href="../services/oauth2-proxy/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    <div role="navigation" aria-label="Page navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../../" class="icon icon-home" aria-label="Home"></a></li>
          <li class="breadcrumb-item"><a href="../">Cephadm</a></li>
      <li class="breadcrumb-item active">Certificate Management</li>
      <li class="wy-breadcrumbs-aside">
            <a href="../../_sources/cephadm/certmgr.rst.txt" rel="nofollow"> View page source</a>
      </li>
  </ul>
  <hr/>
</div>
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../" class="icon icon-home"> Ceph
          

          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../../search/" method="get">
    <input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../start/">Ceph 简介</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../install/">安装 Ceph</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../">Cephadm</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../compatibility/">Compatibility and Stability</a></li>
<li class="toctree-l2"><a class="reference internal" href="../install/">部署个全新的 Ceph 集群</a></li>
<li class="toctree-l2"><a class="reference internal" href="../adoption/">现有集群切换到 cephadm</a></li>
<li class="toctree-l2"><a class="reference internal" href="../host-management/">Host Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="../services/">Service Management</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Certificate Management</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#introduction">Introduction</a></li>
<li class="toctree-l3"><a class="reference internal" href="#certificate-management-behavior">Certificate Management Behavior</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#self-signed-certificates">Self-Signed Certificates</a></li>
<li class="toctree-l4"><a class="reference internal" href="#user-provided-certificates">User-Provided Certificates</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#configuration">Configuration</a></li>
<li class="toctree-l3"><a class="reference internal" href="#certificate-health-monitoring">Certificate Health Monitoring</a></li>
<li class="toctree-l3"><a class="reference internal" href="#known-certificates-and-keys">Known Certificates and Keys</a></li>
<li class="toctree-l3"><a class="reference internal" href="#certificate-scopes">Certificate Scopes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#reloading-certificate-manager">Reloading Certificate Manager</a></li>
<li class="toctree-l3"><a class="reference internal" href="#listing-certificates">Listing Certificates</a></li>
<li class="toctree-l3"><a class="reference internal" href="#listing-entities">Listing Entities</a></li>
<li class="toctree-l3"><a class="reference internal" href="#checking-certificate-status">Checking Certificate Status</a></li>
<li class="toctree-l3"><a class="reference internal" href="#listing-certificate-keys">Listing Certificate Keys</a></li>
<li class="toctree-l3"><a class="reference internal" href="#retrieving-a-certificate">Retrieving a Certificate</a></li>
<li class="toctree-l3"><a class="reference internal" href="#retrieving-a-certificate-key">Retrieving a Certificate Key</a></li>
<li class="toctree-l3"><a class="reference internal" href="#setting-a-certificate-key-pair">Setting a Certificate-Key Pair</a></li>
<li class="toctree-l3"><a class="reference internal" href="#setting-a-certificate">Setting a Certificate</a></li>
<li class="toctree-l3"><a class="reference internal" href="#setting-a-private-key">Setting a Private Key</a></li>
<li class="toctree-l3"><a class="reference internal" href="#removing-a-certificate">Removing a Certificate</a></li>
<li class="toctree-l3"><a class="reference internal" href="#removing-a-private-key">Removing a Private Key</a></li>
<li class="toctree-l3"><a class="reference internal" href="#generating-certificates">Generating Certificates</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../upgrade/">升级 Ceph</a></li>
<li class="toctree-l2"><a class="reference internal" href="../operations/">Cephadm operations</a></li>
<li class="toctree-l2"><a class="reference internal" href="../client-setup/">Client Setup</a></li>
<li class="toctree-l2"><a class="reference internal" href="../troubleshooting/">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../dev/cephadm/">Cephadm Feature Planning</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../rados/">Ceph 存储集群</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephfs/">Ceph 文件系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rbd/">Ceph 块设备</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../radosgw/">Ceph 对象网关</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/">Ceph 管理器守护进程</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/dashboard/">Ceph 仪表盘</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../monitoring/">监控概览</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../api/">API 文档</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../architecture/">体系结构</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/developer_guide/">开发者指南</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/internals/">Ceph 内幕</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../governance/">项目管理</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../foundation/">Ceph 基金会</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/general/">Ceph 版本（总目录）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/">Ceph 版本（索引）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../security/">Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../hardware-monitoring/">硬件监控</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../glossary/">Ceph 术语</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../translation_cn/">中文版翻译资源</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>
  <div id="docubetter" align="right" style="padding: 5px; font-weight: bold;">
    <a href="https://pad.ceph.com/p/Report_Documentation_Bugs">Report a Documentation Bug</a>
  </div>

  
  <section id="certificate-management">
<span id="orchestrator-cli-cert-management"></span><h1>Certificate Management<a class="headerlink" href="#certificate-management" title="Permalink to this heading"></a></h1>
<section id="introduction">
<h2>Introduction<a class="headerlink" href="#introduction" title="Permalink to this heading"></a></h2>
<p>Cephadm <cite>certmgr</cite> acts as the Root Certificate Authority (CA) for all
self-signed certificates generated by Cephadm. For services that require
SSL, admins have the option to either bring their own certificate or allow
Cephadm to generate a self-signed certificate. This ensures secure communication
while offering flexibility for deployment preferences.</p>
</section>
<section id="certificate-management-behavior">
<h2>Certificate Management Behavior<a class="headerlink" href="#certificate-management-behavior" title="Permalink to this heading"></a></h2>
<p>Cephadm <cite>certmgr</cite> automatically detects whether a certificate is self-signed
(generated by Cephadm) or user-provided. This distinction determines how it
handles expirations and renewals:</p>
<section id="self-signed-certificates">
<h3>Self-Signed Certificates<a class="headerlink" href="#self-signed-certificates" title="Permalink to this heading"></a></h3>
<ul class="simple">
<li><p><cite>certmgr</cite> can fully automate renewal, ensuring seamless service operation.</p></li>
<li><p>Automation is controlled by configuration parameters defining certificate
duration, renewal thresholds, and whether automated rotation is enabled.</p></li>
</ul>
</section>
<section id="user-provided-certificates">
<h3>User-Provided Certificates<a class="headerlink" href="#user-provided-certificates" title="Permalink to this heading"></a></h3>
<ul class="simple">
<li><p><cite>certmgr</cite> does not renew these automatically but continuously monitors
their status.</p></li>
<li><p>If an issue is detected (e.g., expiration is approaching), it issues
health warnings/errors <cite>CEPHADM_CERT_ERROR</cite> to alert administrators,
who must manually replace the certificate.</p></li>
</ul>
<p>This proactive approach ensures secure and uninterrupted service operations
while allowing users to manage certificate policies according to their needs.</p>
</section>
</section>
<section id="configuration">
<h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this heading"></a></h2>
<p>To manage certificate lifecycles, <cite>certmgr</cite> continuously monitors certificates
and applies renewal policies based on the certificate type and configured
parameters. Cephadm provides several configuration options to manage certificate
lifecycle and renewal:</p>
<ul class="simple">
<li><p><strong>`mgr/cephadm/certificate_automated_rotation_enabled`</strong> (default: <cite>True</cite>):
Enabled by default, this configuration option controls
whether Cephadm automatically rotates certificates upon expiration. This helps
ensure continuity and security without manual intervention. When disabled cephadm will
still check periodically the certificates but instead of automatically renewing self-signed
expired ones it will issue a health error/warning when an issue is detected.</p></li>
<li><p><strong>`mgr/cephadm/certificate_duration_days`</strong> (default: <cite>3 * 365</cite>, min: <cite>90</cite>, max: <cite>10 *
365</cite>): Specifies the duration (in days) of self-signed certificates generated
and signed by the Cephadm root CA. This determines the validity period before
renewal is required.</p></li>
<li><p><strong>`mgr/cephadm/certificate_renewal_threshold_days`</strong> (default: <cite>30</cite>, min: <cite>10</cite>, max:
<cite>90</cite>): Defines the number of days before a certificate’s expiration when
Cephadm should initiate renewal. This ensures timely replacement before
expiration occurs. This applies to both self-signed and user-provided
certificates. In the case of user-provided certificates, Cephadm will issue a
health error or warning alerting administrators about the upcoming renewal
period proximity.</p></li>
<li><p><strong>`mgr/cephadm/certificate_check_period`</strong> (default: <cite>1</cite>, min: <cite>0</cite>, max: <cite>30</cite>):
Specifies how often (in days) the certificate should be checked for validity.
This ensures timely detection of any issues related to certificate expiration.
Setting this to <cite>0</cite> disables the certificate check functionality.</p></li>
</ul>
</section>
<section id="certificate-health-monitoring">
<h2>Certificate Health Monitoring<a class="headerlink" href="#certificate-health-monitoring" title="Permalink to this heading"></a></h2>
<p>Cephadm continuously monitors the status of managed certificates. If any
certificate is found to be invalid or expired, Cephadm will issue a health error
with the code <cite>CEPHADM_CERT_ERROR</cite>. Additionally, if a certificate is
approaching its expiration date, Cephadm will generate a health warning. This
proactive alerting mechanism helps administrators take timely action to renew or
replace certificates before service disruptions occur.</p>
</section>
<section id="known-certificates-and-keys">
<h2>Known Certificates and Keys<a class="headerlink" href="#known-certificates-and-keys" title="Permalink to this heading"></a></h2>
<p>The <cite>CertMgr</cite> class maintains a list of known certificates and keys. These are
automatically documented below:</p>
</section>
<section id="certificate-scopes">
<h2>Certificate Scopes<a class="headerlink" href="#certificate-scopes" title="Permalink to this heading"></a></h2>
<p>Cephadm certmgr supports three different scopes for certificate management:</p>
<ol class="arabic simple">
<li><p><strong>Global Scope:</strong>
- Certificates in this scope are shared across all service daemons, regardless of which host they are running on.
- Example: <cite>mgmt-gateway</cite> certificate is a globally shared certificate used by all service daemons.</p></li>
<li><p><strong>Per-Host Scope:</strong>
- Certificates are assigned per host, meaning each host has its own unique certificate.
- When configuring a custom certificate, the user must specify the host for which the certificate applies.
- Example: <cite>grafana</cite> service cerificates are configured at the host level and applies specifically to a single machine.</p></li>
<li><p><strong>Per-Service Scope:</strong>
- Certificates are configured per service name, meaning each instance of a service can have its own certificate.
- When specifying a custom certificate, the user must define the service to which it belongs.
- Example: an <cite>rgw</cite> service certificate is assigned specifically and only to an RGW service</p></li>
</ol>
</section>
<section id="reloading-certificate-manager">
<h2>Reloading Certificate Manager<a class="headerlink" href="#reloading-certificate-manager" title="Permalink to this heading"></a></h2>
<p>Run the following command to reload the certificate manager configuration from the Monitors:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><style type="text/css">
span.prompt1:before {
  content: "# ";
}
</style><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>reload</span>
</pre></div></div><p>This command ensures that any changes made to certificate configurations are
applied immediately without requiring a service restart.</p>
</section>
<section id="listing-certificates">
<h2>Listing Certificates<a class="headerlink" href="#listing-certificates" title="Permalink to this heading"></a></h2>
<p>To list all available certificates managed by the orchestrator:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert<span class="w"> </span>ls<span class="w"> </span><span class="o">[</span>--show-details<span class="o">]</span></span>
</pre></div></div><p>This command displays an overview of all certificates currently managed by
cephadm. Using <code class="docutils literal notranslate"><span class="pre">--show-details</span></code> provides additional information, including issuing
authorities and certificate extensions.</p>
</section>
<section id="listing-entities">
<h2>Listing Entities<a class="headerlink" href="#listing-entities" title="Permalink to this heading"></a></h2>
<p>To list all entities associated with certificates:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>entity<span class="w"> </span>ls</span>
</pre></div></div><p>Entities represent services that utilize managed certificates.</p>
</section>
<section id="checking-certificate-status">
<h2>Checking Certificate Status<a class="headerlink" href="#checking-certificate-status" title="Permalink to this heading"></a></h2>
<p>To check the status and validity of a specific certificate:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert<span class="w"> </span>check</span>
</pre></div></div><p>This command verifies the integrity and expiration status of all managed certificates.</p>
</section>
<section id="listing-certificate-keys">
<h2>Listing Certificate Keys<a class="headerlink" href="#listing-certificate-keys" title="Permalink to this heading"></a></h2>
<p>To list all private keys associated with managed certificates:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>key<span class="w"> </span>ls</span>
</pre></div></div><p>This command shows which keys are currently managed by cephadm.</p>
</section>
<section id="retrieving-a-certificate">
<h2>Retrieving a Certificate<a class="headerlink" href="#retrieving-a-certificate" title="Permalink to this heading"></a></h2>
<p>To retrieve the content of a specific certificate:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert<span class="w"> </span>get<span class="w"> </span>&lt;certificate_name&gt;<span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--no-exception-when-missing<span class="o">]</span></span>
</pre></div></div><p>Replace <cite>&lt;certificate-name&gt;</cite> with the actual certificate name from <cite>ceph
orch certmgr cert ls</cite>. For certificates with host or service scope, include
the <cite>--hostname</cite> or <cite>--service_name</cite> arguments as needed.</p>
</section>
<section id="retrieving-a-certificate-key">
<h2>Retrieving a Certificate Key<a class="headerlink" href="#retrieving-a-certificate-key" title="Permalink to this heading"></a></h2>
<p>To retrieve the private key associated with a specific certificate:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>key<span class="w"> </span>get<span class="w"> </span>&lt;key_name&gt;<span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--no-exception-when-missing<span class="o">]</span></span>
</pre></div></div><p>Replace <cite>&lt;key-name&gt;</cite> with the actual certificate name from <cite>ceph
orch certmgr key ls</cite>. For certificates with host or service scope, include
the <cite>--hostname</cite> or <cite>--service_name</cite> arguments as needed.</p>
</section>
<section id="setting-a-certificate-key-pair">
<h2>Setting a Certificate-Key Pair<a class="headerlink" href="#setting-a-certificate-key-pair" title="Permalink to this heading"></a></h2>
<p>To associate a certificate with a private key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert-key<span class="w"> </span><span class="nb">set</span><span class="w"> </span>&lt;entity&gt;<span class="w"> </span><span class="o">[</span>--cert<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--key<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>-i<span class="w"> </span>&lt;cert-key-path&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--force<span class="o">]</span></span>
</pre></div></div><p>Use this command to upload or replace an existing certificate/key pair
for a certain service. Replace <cite>&lt;entity-name&gt;</cite> with the actual
certificate name from <cite>ceph orch certmgr entity ls</cite>. The -i option
can be used to specify a file containing a combined certificate and
key in PEM format. This file should include both the certificate and
private key concatenated together.</p>
</section>
<section id="setting-a-certificate">
<h2>Setting a Certificate<a class="headerlink" href="#setting-a-certificate" title="Permalink to this heading"></a></h2>
<p>To update or set a new certificate:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert<span class="w"> </span><span class="nb">set</span><span class="w"> </span>&lt;certificate_name&gt;<span class="w"> </span><span class="o">[</span>--cert<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>-i<span class="w"> </span>&lt;cert-path&gt;<span class="o">]</span></span>
</pre></div></div><p>Use this command to add or replace an existing certificate.</p>
</section>
<section id="setting-a-private-key">
<h2>Setting a Private Key<a class="headerlink" href="#setting-a-private-key" title="Permalink to this heading"></a></h2>
<p>To update or set a new private key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>key<span class="w"> </span><span class="nb">set</span><span class="w"> </span>&lt;key-name&gt;<span class="w"> </span><span class="o">[</span>--key<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>-i<span class="w"> </span>&lt;key-path&gt;<span class="o">]</span></span>
</pre></div></div><p>This command allows administrators to provide new private keys for services.</p>
</section>
<section id="removing-a-certificate">
<h2>Removing a Certificate<a class="headerlink" href="#removing-a-certificate" title="Permalink to this heading"></a></h2>
<p>To remove an existing certificate:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>cert<span class="w"> </span>rm<span class="w"> </span>&lt;certificate_name&gt;<span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span></span>
</pre></div></div><p><strong>Note:</strong> For certificates with host or service scope, use the <cite>--service-name</cite> or <cite>--hostname</cite> option to specify the target.</p>
<p><code class="docutils literal notranslate"><span class="pre">&lt;certificate_name&gt;</span></code> must be a valid certificate name. Use <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">orch</span> <span class="pre">certmgr</span> <span class="pre">cert</span> <span class="pre">ls</span></code> to list supported certificates.</p>
</section>
<section id="removing-a-private-key">
<h2>Removing a Private Key<a class="headerlink" href="#removing-a-private-key" title="Permalink to this heading"></a></h2>
<p>To remove an existing private key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>key<span class="w"> </span>rm<span class="w"> </span>&lt;key-name&gt;<span class="w"> </span><span class="o">[</span>--service_name<span class="w"> </span>&lt;value&gt;<span class="o">]</span><span class="w"> </span><span class="o">[</span>--hostname<span class="w"> </span>&lt;value&gt;<span class="o">]</span></span>
</pre></div></div><p><strong>Note:</strong> For keys with host or service scope, use the <cite>--service-name</cite> or <cite>--hostname</cite> option to specify the target.</p>
<p><code class="docutils literal notranslate"><span class="pre">&lt;key_name&gt;</span></code> must be a valid key name. Use <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">orch</span> <span class="pre">certmgr</span> <span class="pre">key</span> <span class="pre">ls</span></code> to list supported keys.</p>
</section>
<section id="generating-certificates">
<h2>Generating Certificates<a class="headerlink" href="#generating-certificates" title="Permalink to this heading"></a></h2>
<p>To automatically generate a new certificate and key pair:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">cehp<span class="w"> </span>orch<span class="w"> </span>certmgr<span class="w"> </span>generate-certificates<span class="w"> </span>&lt;module_name&gt;</span>
</pre></div></div><p>This command provisions new certificates for specified Manager module.</p>
</section>
</section>



<div id="support-the-ceph-foundation" class="admonition note">
  <p class="first admonition-title">Brought to you by the Ceph Foundation</p>
  <p class="last">The Ceph Documentation is a community resource funded and hosted by the non-profit <a href="https://ceph.io/en/foundation/">Ceph Foundation</a>. If you would like to support this and our other efforts, please consider <a href="https://ceph.io/en/foundation/join/">joining now</a>.</p>
</div>


           </div>
           
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="../services/oauth2-proxy/" class="btn btn-neutral float-left" title="OAuth2 Proxy" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="../upgrade/" class="btn btn-neutral float-right" title="升级 Ceph" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>